Comparing Annex A in ISO/IEC 27001:2013 vs. ISO/IEC 27001:2022

Ages ago I wrote this article, in which I briefly compared Annex A in the two versions of the standard: https://www.sorinmustaca.com/annex-a-of-iso-27001-2022-explained/

But I feel there is still a need to detail the changes a bit, especially now that more and more businesses are forced to re-audit against the newer standard.


Overview of Annex A

Annex A groups its controls into categories. Each category covers a set of controls designed to address specific aspects of information security management within an organization: policies, procedures, and technical and organizational measures designed to safeguard critical assets, prevent unauthorized access, and mitigate security threats.

The primary purpose of Annex A controls is to guide organizations in selecting appropriate security measures based on their specific context and identified risks. They are not mandatory requirements but serve as best practices for information security management.

Many auditors and practitioners recommend not focusing exclusively on these controls, because in the end they will not help you pass the audit. I agree: do not rely exclusively on them, but use them only as a starting point.


  • 2013 edition:

    • 114 controls

    • Grouped into 14 control domains (e.g., A.5 Information Security Policies, A.6 Organization of Information Security, etc.).

    • Numbering is A.x.y.z.

  • 2022 edition:

    • 93 controls (reduced by consolidation, merging, and restructuring).

    • Grouped into 4 control themes:

      • Organizational (37 controls)

      • People (8 controls)

      • Physical (14 controls)

      • Technological (34 controls)

    • Numbering is A.5–A.8 only, reflecting the 4 control themes.


New Controls Introduced in 2022

ISO/IEC 27001:2022 introduced 11 new controls to address modern risks. Each expands the ISMS scope to include practices that were not explicitly covered in the 2013 edition.

I personally love this addition, because now the standard is in sync with the reality out there. I especially love A.8.28 Secure Coding, which has been ignored for far too long, despite the evidence that all major exploits have been caused by not respecting secure coding standards.

  1. A.5.7 Threat Intelligence

    • Requires collection and analysis of threat intelligence.

    • Sources: security vendors, government advisories, industry ISACs, internal incident data.

    • Outcome: anticipate and defend against emerging attack methods.

  2. A.5.23 Information Security for Use of Cloud Services

    • Establishes rules for assessing and managing cloud providers.

    • Covers due diligence, contracts, data residency, shared responsibility.

    • Goal: ensure cloud adoption is secure and consistent.

  3. A.5.30 ICT Readiness for Business Continuity

    • Ensures IT and communications systems are resilient to disruptions.

    • Focus: backup, recovery testing, failover, disaster readiness.

    • Bridges ISMS with business continuity (ISO 22301).

  4. A.7.4 Physical Security Monitoring

    • Monitoring of physical facilities using CCTV, access logs, alarms, motion sensors.

    • Detects unauthorized access and environmental hazards.

    • Complements access restriction controls.

  5. A.8.9 Configuration Management

    • Requires baseline configurations for systems and software.

    • Covers patching, secure hardening, prevention of unauthorized changes.

    • Reduces risks from misconfigurations.

  6. A.8.10 Information Deletion

    • Secure and verified erasure of data when no longer needed.

    • Applies to disks, mobile devices, cloud storage, and backups.

    • Prevents data recovery by unauthorized parties.

  7. A.8.11 Data Masking

    • Techniques to obscure sensitive information.

    • Useful in non-production environments and analytics.

    • Supports privacy requirements (GDPR, HIPAA, etc.).

  8. A.8.12 Data Leakage Prevention (DLP)

    • Deployment of technical and procedural measures to prevent data leaks.

    • Examples: DLP software, email scanning, outbound traffic filtering.

    • Helps against insider threats and accidental data loss.

  9. A.8.16 Monitoring Activities

    • Expands on logging to include continuous monitoring of systems and networks.

    • Goal: real-time detection of anomalies and policy violations.

    • Supports SOC operations and incident response.

  10. A.8.23 Web Filtering

    • Restricts or blocks access to malicious or inappropriate websites.

    • Prevents phishing, malware, and unauthorized browsing.

    • Often implemented via secure DNS or proxy gateways.

  11. A.8.28 Secure Coding

    • Mandates secure software development practices.

    • Includes developer training, code review, automated scanning, use of vetted libraries.

    • Supports DevSecOps integration and early vulnerability prevention.


Merged Controls

Some 2013 controls were consolidated to reduce duplication:

  • Logging and monitoring (A.12.4.1–A.12.4.3, 2013) merged into A.8.15 & A.8.16 (2022).

  • Cryptographic controls (A.10.1.1, A.10.1.2, 2013) merged into A.8.24 (2022).

  • Access management controls consolidated into A.5.15–A.5.18 (2022).


Removed / Reorganized Controls

No controls were truly eliminated; instead, they were rephrased or merged.

  • Example: Removal of assets (A.11.2.7, 2013) became part of Return of assets (A.5.9, 2022).

  • Teleworking and mobile device policies combined under broader organizational controls.


Attributes in Annex A (2022)

A new classification model (“attributes”) was introduced to tag each control.

Categories include:

  • Control type: Preventive, Detective, Corrective

  • Security properties: Confidentiality, Integrity, Availability

  • Cybersecurity concepts: Identify, Protect, Detect, Respond, Recover (aligned with NIST CSF)

  • Operational capabilities: Governance, Asset management, Identity, Resilience, etc.

  • Security domains: aligned with the organizational, people, physical, and technological themes

Why Attributes Matter

Attributes enable flexible mapping to frameworks like NIST, CIS, and especially TISAX.

  • They make ISO 27001 more practical and flexible.

  • Help you cross-map ISO 27001 controls to:

    • NIST CSF (via cybersecurity concepts)

    • CIA triad (via security properties)

    • Defense-in-depth planning (via control type)

  • Useful for gap analysis: you can check whether your ISMS is too prevention-heavy and weak on detection or recovery.

  • Improve communication with stakeholders: executives, auditors, regulators, or IT operations can each view controls in the lens that matters most to them.

In simple words: Attributes are like tags in a library. They don’t change the book (control), but they let you find it faster depending on whether you search by topic, author, or year.

Since TISAX is my favorite certification (ok, ok, it is a label, but bear with me here), I need to point to column P, “Reference to other standards”, where this category has been used several times.

Reference “3.1.10” in Cell P50 from the ISA-VDA-6.0.3:

3 -> Cybersecurity Concept

1 -> Detect

10 -> Control Identifier

This is a mapping between control A.8.15 (Logging) and the NIST CSF Cybersecurity Concept “Detect”:

Identifier   Control_Code   Title
3.1.1        A.7. X         Employee event reporting
3.1.2        A.7. X         Information security event reporting
3.1.3        A.5.24         Information security incident planning/prep
3.1.4        A.5.25         Assessment & decision on info security events
3.1.5        A.5.26         Response to information security incidents
3.1.6        A.5.27         Learning from information security incidents
3.1.7        A.7.4          Physical security monitoring
3.1.8        A.8.12         Data leakage prevention
3.1.9        A.8.16         Monitoring activities
3.1.10       A.8.15         Logging

A.8.15 Logging -> mapping -> Cybersecurity Concept: Detect

This is useful for aligning ISO/IEC 27001 with NIST CSF, TISAX, ISA/IEC 62443, and others.
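As an added example (not code from the article or from the VDA ISA catalogue), the following Python decodes the ISA reference format shown above and runs the attribute-based coverage check the article describes under “Why Attributes Matter”. The concept tags in SAMPLE_TAGS are constructed assumptions for illustration, not the attribute values printed in the standard.

```python
"""Added example, not from the article or the VDA ISA catalogue: decode an ISA
'Reference to other standards' id as the article does, then run its gap check."""
from collections import Counter
from dataclasses import dataclass

# Code meanings stated in the article; other codes are not on the page, so they
# are reported as unknown rather than guessed.
CATEGORIES = {3: "Cybersecurity Concept"}
CONCEPTS = {1: "Detect"}
NIST_CSF = ("Identify", "Protect", "Detect", "Respond", "Recover")

# Rows of the article's ISA table that name a concrete 2022 control
# (the two 'A.7. X' rows are left out because the page does not resolve them).
ISA_DETECT_ROWS = {"3.1.3": "A.5.24", "3.1.4": "A.5.25", "3.1.5": "A.5.26",
                   "3.1.6": "A.5.27", "3.1.7": "A.7.4", "3.1.8": "A.8.12",
                   "3.1.9": "A.8.16", "3.1.10": "A.8.15"}

@dataclass(frozen=True)
class IsaRef:
    category: str
    concept: str
    identifier: int

def parse_isa_ref(ref: str) -> IsaRef:
    """Split 'category.concept.identifier' (e.g. '3.1.10') and label each part."""
    parts = ref.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed ISA reference: {ref!r}")
    cat, con, ident = (int(p) for p in parts)
    return IsaRef(CATEGORIES.get(cat, f"unknown category {cat}"),
                  CONCEPTS.get(con, f"unknown concept {con}"), ident)

def control_for_ref(ref: str):
    """2022 Annex A control behind an ISA reference, or None if not in the table."""
    parse_isa_ref(ref)  # reject malformed ids before the lookup
    return ISA_DETECT_ROWS.get(ref)

# Constructed sample tagging of a few 2022 controls by CSF concept; these are
# illustrative assumptions, not the attribute values printed in the standard.
SAMPLE_TAGS = {"A.5.15": "Protect", "A.8.24": "Protect", "A.8.28": "Protect",
               "A.8.9": "Protect", "A.8.15": "Detect", "A.5.30": "Recover"}

def concept_shares(tags: dict) -> dict:
    """Fraction of the tagged controls under each CSF concept, rounded to 2 dp."""
    counts, total = Counter(tags.values()), max(len(tags), 1)
    return {c: round(counts.get(c, 0) / total, 2) for c in NIST_CSF}

def weak_concepts(tags: dict, min_share: float = 0.2) -> list:
    """Concepts below min_share: the 'prevention-heavy, weak on detection' check."""
    return [c for c, share in concept_shares(tags).items() if share < min_share]
```

Swap SAMPLE_TAGS for your own Statement of Applicability tagged with the standard's attributes and weak_concepts() lists the CSF functions your ISMS under-covers.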

I think there is a lot more to write about them, perhaps in another article.


Summary

2013 Control (Domain) | 2022 Control (Theme) | Notes
A.5.1.1 Information security policy | A.5.1 Policies for information security | Mostly unchanged
A.5.1.2 Review of policies | A.5.1 Policies for information security | Merged
A.6.1.1 Roles and responsibilities | A.5.2 Information security roles and responsibilities | Direct
A.6.1.2 Segregation of duties | A.5.3 Segregation of duties | Direct
A.6.1.3 Contact with authorities | A.5.4 Contact with authorities | Direct
A.6.1.4 Contact with special interest groups | A.5.5 Contact with special interest groups | Direct
A.6.1.5 Project management | A.5.8 Information security in project management | Expanded
A.6.2.1 Mobile device policy | A.6.2.1 (2013) merged → A.6.2 (2022 People theme) | Consolidated
A.6.2.2 Teleworking | A.5.10 Acceptable use of information and other assets + A.5.11 Return of assets | Reorganized
A.7.1.1 Screening | A.6.1 Screening | Direct
A.7.1.2 Terms of employment | A.6.2 Terms of employment | Direct
A.7.2.1 Management responsibilities | A.6.3 Management responsibilities | Direct
A.7.2.2 Information security awareness, education, and training | A.6.4 Information security awareness, education, and training | Direct
A.7.2.3 Disciplinary process | A.6.5 Disciplinary process | Direct
A.7.3 Termination/responsibilities | A.5.9 Return of assets | Consolidated
A.8.1.1 Inventory of assets | A.5.9 Inventory of information and other assets | Direct
A.8.1.2 Ownership of assets | A.5.9 Inventory of information and other assets | Consolidated
A.8.1.3 Acceptable use of assets | A.5.10 Acceptable use of information and other assets | Direct
A.8.1.4 Return of assets | A.5.11 Return of assets | Direct
A.8.2.1 Classification of information | A.5.12 Classification of information | Direct
A.8.2.2 Labeling of information | A.5.13 Labelling of information | Direct
A.8.2.3 Handling of assets | A.5.14 Handling of information | Direct
A.8.3.1 Management of removable media | A.8.10 Information deletion | Merged/expanded
A.8.3.2 Disposal of media | A.8.10 Information deletion | Direct
A.8.3.3 Physical media transfer | A.5.14 Handling of information | Consolidated
A.9.1.1 Access control policy | A.5.15 Access control | Direct
A.9.1.2 Access to networks and services | A.5.16 Access to network and network services | Direct
A.9.2.x User access management (all) | A.5.17–A.5.18 | Consolidated
A.9.3 User responsibilities | A.5.18 Access rights | Direct
A.9.4 System and application access | A.5.19–A.5.22 | Expanded
A.10.1.1 Policy on cryptographic controls | A.8.24 Use of cryptography | Direct
A.10.1.2 Key management | A.8.25 Key management | Direct
A.11.x Physical and environmental controls | A.7.1–A.7.4 | Simplified/merged
A.12.1.x Operational procedures | A.8.1–A.8.8 | Direct
A.12.4.1–A.12.4.3 Logging & monitoring | A.8.15–A.8.16 Monitoring activities | Merged
A.12.5.x Control of operational software | A.8.7–A.8.9 | Consolidated
A.12.6.x Technical vulnerability mgmt. | A.8.8 Management of technical vulnerabilities | Direct
A.13.1.x Network security controls | A.8.20 Network security | Direct
A.13.2.x Information transfer | A.5.14 Handling of information | Consolidated
A.14.1.x Security requirements for IS | A.8.26 Application security requirements | Direct
A.14.2.1 Secure development policy | A.8.28 Secure coding | Expanded
A.14.2.5 Secure system engineering | A.8.27 Secure system architecture and engineering principles | Direct
A.15.1 Supplier security | A.5.19 Supplier relationships | Direct
A.15.2 Supplier service delivery mgmt. | A.5.20–A.5.21 | Consolidated
A.16.1.x Incident mgmt. | A.5.25–A.5.27 | Direct
A.17.1 Business continuity planning | A.5.29 ICT readiness for business continuity | Expanded
A.18.1 Compliance with legal | A.5.32 Compliance obligations | Direct
A.18.2 Information security reviews | A.5.33 Independent review of information security | Direct


Conclusions

  • The shift from ISO/IEC 27001:2013 to ISO/IEC 27001:2022 is less about reducing the number of controls and more about modernizing and simplifying them.

    While the 2013 version spread 114 controls across 14 domains, the 2022 edition organizes 93 controls into just four clear themes. This makes the standard easier to understand and apply.

    The addition of 11 new controls shows how the standard has kept pace with today’s security challenges: cloud services, secure coding, threat intelligence, data leakage prevention, and stronger monitoring.

    At the same time, many older controls were merged or rephrased, removing overlaps and making the framework more practical.

  • Perhaps the biggest improvement is the introduction of attributes. These tags let organizations view the controls through different lenses: confidentiality, integrity, availability, NIST CSF functions, or operational capabilities. That flexibility makes it much easier to map ISO 27001 to other frameworks and compliance requirements.

  • For organizations, the transition means more than just updating documentation. It is an opportunity to strengthen governance, align with modern practices, and close gaps in areas that were not well covered before, such as cloud and DevSecOps.